While using PowerShell to investigate the Certificate Provider, I noticed that all the paths look similar to, but different from, the folder structure inside certmgr. Does anyone know how the PowerShell certificate provider paths map to the certmgr.msc folders? It seems clear enough that:
Certs:\LocalMachine ~= Certificates (Local Computer)
Certs:\CurrentUser ~= Certificates - Current User
I am also guessing:
Root ~= Trusted Root Certification Authority
My ~= Personal
WebHosting ~= WebHosting
...
But I have been unable to find any kind of official reference (or even a sensible explanation) to give me the warm fuzzy I'm looking for...
My goal is to test an https WCF service locally (both server and client). I can easily generate the self-signed certificate the server needs with New-SelfSignedCertificate. But if I point my client (also .NET) at that service, it cannot connect because the service presents an untrusted certificate.
I have found various dated references (like this one) showing how I could use makecert (now deprecated) together with certmgr to generate a certificate authority, use it to sign the certificate for my https service, and then install the certificate authority's certificate into the Trusted Root Certification Authorities container so that everything works. While that approach may work, it is certainly not developer/automation friendly.
That said, I can do it with PowerShell:
```powershell
$my_cert_store_location = "Cert:\LocalMachine\My"
$root_cert_store_location = "Cert:\LocalMachine\Root"
$root_friendly_name = "Test Root Authority"
$root_cert_subject = "CN=$($root_friendly_name)"
# The ip and port you want to reserve for your app
$ipport = "127.0.0.11:8734"
# Your app guid (found in ApplicationInfo.cs)
$appid = "{f77c65bd-d592-4a7b-ae32-cab24130fdf6}"
# Your dns name
$dns_name = "my-machine-local"
$rebuild_root_cert = $false

# Look for an existing root cert in the personal store (that copy holds the private key)
$root_cert = Get-ChildItem $my_cert_store_location |
    Where-Object { $_.SubjectName.Name.Equals($root_cert_subject) }

if ($root_cert -and $rebuild_root_cert)
{
    # Drop both the trusted copy and the private-key copy, then start over
    Get-ChildItem $root_cert_store_location |
        Where-Object { $_.SubjectName.Name.Equals($root_cert_subject) } |
        Remove-Item
    # Pipe the certificate object so the provider resolves its store path
    $root_cert | Remove-Item
    $root_cert = $false
}

if (-not $root_cert)
{
    $root_cert = New-SelfSignedCertificate `
        -Type Custom `
        -FriendlyName $root_friendly_name `
        -HashAlgorithm sha384 `
        -KeyAlgorithm RSA `
        -KeyLength 4096 `
        -Subject $root_cert_subject `
        -KeyUsage DigitalSignature, CertSign `
        -NotAfter (Get-Date).AddYears(20) `
        -CertStoreLocation $my_cert_store_location
    Write-Output "Created root cert: $($root_cert.Thumbprint)"

    # Export the public certificate only and import it into the trusted root store
    $exported_cert = New-TemporaryFile
    Export-Certificate -Cert $root_cert -FilePath $exported_cert.FullName
    $imported_root_cert = Import-Certificate -FilePath $exported_cert.FullName `
        -CertStoreLocation $root_cert_store_location
    Write-Output "Imported root cert to: $($root_cert_store_location)\$($imported_root_cert.Thumbprint)"
}
Write-Output "Root cert is: $($root_cert.Thumbprint)"

# Issue the server certificate, signed by the root above
$test_signed_cert_subject = "CN=$($dns_name)"
$test_signed_cert = Get-ChildItem $my_cert_store_location |
    Where-Object { $_.SubjectName.Name.Equals($test_signed_cert_subject) }

if (-not $test_signed_cert)
{
    $test_signed_cert = New-SelfSignedCertificate `
        -Type Custom `
        -Subject $test_signed_cert_subject `
        -FriendlyName $dns_name `
        -Signer $root_cert `
        -CertStoreLocation $my_cert_store_location
    Write-Output "Created signed cert: $($test_signed_cert.Thumbprint)"
}
Write-Output "Signed cert is: $($test_signed_cert.Thumbprint)"

if ($test_signed_cert)
{
    # Bind the server certificate to the reserved ip:port in HTTP.sys
    netsh http delete sslcert `
        ipport="$($ipport)"
    netsh http add sslcert `
        ipport="$($ipport)" `
        appid="$($appid)" `
        certstorename="My" `
        certhash="$($test_signed_cert.Thumbprint)"
    Write-Output "Assigned signed cert to: $($ipport)"
}
```
But the question still stands... is there any information on how the certificate provider paths map to the certmgr folders?
Thanks, this is exactly what I was looking for. Do you have a link to the source material (official Microsoft documentation), or is this just something you have learned over time? – Lucas
I gathered this from various MSDN articles (a long time ago) and I am unlikely to be able to recover the exact links. It lives in my internal documentation. – Crypt32
Cool, I will have to look at your [pki project](https://pspki.codeplex.com/SourceControl/list/changesets?branch=default), since my efforts listed above keep running into trust issues. Not sure what I am doing wrong. Thanks again. – Lucas
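The "trust issues" mentioned in the last comment are easier to pin down by checking the issued certificate the way a client would. The following diagnostic is an added example, not part of the original question or of the pki project; it assumes the same store paths and `$dns_name` as the script above and reports whether the issuer sits in LocalMachine\Root, whether the leaf carries a Subject Alternative Name for the host (a `-Type Custom` certificate issued without `-DnsName` has none, and Schannel/.NET clients match the SAN rather than the CN), and every status reason X509Chain gives when it builds the chain.

```powershell
# Added diagnostic (assumption: same store paths and DNS name as the script above)
$dns_name = "my-machine-local"
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$dns_name" } |
    Select-Object -First 1
if (-not $leaf) { throw "No certificate with subject CN=$dns_name in Cert:\LocalMachine\My" }
Write-Output "Leaf: $($leaf.Subject) [$($leaf.Thumbprint)] issued by $($leaf.Issuer)"

# 1. Is the issuing root actually present in the trusted root store?
$root_in_store = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $leaf.Issuer }
Write-Output ("Issuer present in Cert:\LocalMachine\Root: {0}" -f [bool]$root_in_store)

# 2. Does the leaf carry a Subject Alternative Name (OID 2.5.29.17) naming the host?
$san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$san_text = if ($san) { $san.Format($false) } else { "<none>" }
Write-Output "SAN extension: $san_text"
Write-Output ("SAN names {0}: {1}" -f $dns_name, ($san_text -match [regex]::Escape($dns_name)))

# 3. Build the chain as a client would (revocation skipped: a test CA has no CRL)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain_ok = $chain.Build($leaf)
Write-Output "Chain builds cleanly: $chain_ok"
foreach ($status in $chain.ChainStatus) {
    # Each entry names one reason a client would reject the chain
    Write-Output (" - {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
}
foreach ($element in $chain.ChainElements) {
    Write-Output ("   chain element: {0} [{1}]" -f $element.Certificate.Subject, $element.Certificate.Thumbprint)
}
```

Run it in the same elevated session used for the script; a false in step 1 or 2, or any ChainStatus line, is the concrete reason the .NET client refuses the connection.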